Detecting lag switch cheating in game

ABSTRACT

Detecting lag switch cheating in a gaming network is disclosed. Data packets are received from a client. The data packets have tracking data including at least one of a sequence number and a time stamp. The tracking data is monitored to determine that a cheat-detection event has occurred.

BACKGROUND OF THE INVENTION

Field of the Invention

The present invention generally relates to network gaming and more particularly to detecting lag switch cheating in a network game.

Description of Related Art

Conventionally, users of electronic games compete with one another by selecting a two-player option associated with a particular electronic game via a single home gaming console. Accordingly, two players can play at the same time or one-at-a-time in order to compete for points or other awards associated with the particular electronic game.

As electronic game consoles have become more popular and network technologies have become more pervasive, more options for head-to-head competition have become available. Some electronic game consoles are equipped with modems or other network connectors for allowing users to communicate over a network through the exchange of data related to the game. By communicating over a network, users can connect to various other users' gaming consoles either directly or via intermediate computing nodes (e.g., a central server or other game consoles in a network) and compete against those various other users while playing a network game.

Disadvantageously, some users manipulate the network game in order to gain unfair advantages while competing with other users playing the same network game. For example, a user may delay the rate at which the user's data is sent to other users so that the various other users do not receive the user's data in time to react appropriately. Unscrupulous game players may introduce this delay in transmission of game play data through a lag switch.

Adding latency to the network through a lag switch has the effect of making the cheater's online game character appear to be at an old location (or invisible). In reality, the cheater may have positioned his online game character near an opponent. The cheater—now being strategically positioned—may kill his opponent and/or subsequently enable the normal flow of network traffic and continue with unabated game play.

Utilizing lag switch cheating is especially problematic in networked ‘community’ game-play. Pervasive cheating in a gaming community decreases user enjoyment of participating in a networked community game environment. For example, a particular user playing a network game without any illicit outside aides such as a lag switch is at a distinct disadvantage versus a user who is making use of such illicit aides. The user who is not cheating may be overpowered, outgunned, or otherwise inferior in some respect to a user who is cheating regardless of the individual skills of those users. If the user who does not cheat is continually defeated by a user who does cheat—and often in quick and decisive fashion—the non-cheating user may lose interest in a particular game, a particular game network, or a particular product or service provider.

This loss of interest adversely affects game developers and network service providers who will sell fewer game titles or find fewer users utilizing their network game services, respectively. As such, there is an inherent interest for game developers, service providers, and honest game users to identify and eliminate cheating in a network or community game environment.

SUMMARY OF THE INVENTION

In one claimed embodiment, a method for detecting lag switch cheating in a gaming network is disclosed. The method includes receiving data packets from a client. The data packets have tracking data including a sequence number and/or a time stamp. The tracking data is monitored whereby it is determined whether a cheat-detection event has occurred.

In a second claimed embodiment, a system for detecting lag switch cheating is disclosed. The system includes a computing device that receives data packets from a client. The data packets have tracking data including a sequence number and/or a time stamp. A monitoring module is executed to monitor the tracking data. An analysis engine is determines, from the monitoring of the tracking data, whether a cheat-detection event has occurred.

In another claimed embodiment, a non-transitory computer-readable storage medium is disclosed. Embodied upon the medium is a program. The program is executable by a computing device to perform a method for detecting lag switch cheating in a gaming network. The method includes receiving data packets from a client. The data packets have tracking data including a sequence number and/or a time stamp. The tracking data is monitored whereby it is determined whether a cheat-detection event has occurred.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates exemplary network architecture for validating network game users.

FIG. 2 is a block diagram of an exemplary electronic entertainment system including a control processor, multiple processing units, and a multitude of local memories and that may be used in implemented embodiments of the presently claimed invention.

FIG. 3 is a lag detection module that may implement the lag detection methodology of FIG. 4.

FIG. 4 is a flow diagram of an exemplary process for detecting lag switch cheating.

DETAILED DESCRIPTION

FIG. 1 illustrates exemplary network architecture for validating network game users. The elements identified in FIG. 1 may include various alternatives, equivalents, or derivations thereof. One or more clients 102 may include one or more network games 104. Network game 104 may be built-in (e.g., pre-loaded) to the client 102 or be introduced through an optical disk or other data storage medium. Network game 104 may also be obtained over a network. The client 102 may be connected to a server 108 via a communications network 106 or to one another through an ad hoc network.

The client 102 may comprise a game console such as a PlayStation® 3, a laptop computing device, a portable game device such as the PlayStation® Go, a desktop computing device, a Smart Phone, or any other device capable of executing the network game 104 and connecting to either the network 106 or ad hoc network. In some embodiments, the client 102 may be identified by an identification number such as a client ID or an address mechanism such as an IP address. In other embodiments, a user of the client 102 may ‘sign on’ to a network with a user name and/or password, which may be temporarily or permanently associated with the client 102.

The server 108 may include the network game 104 and the clients 102 may access the network game 104 on the server 108 via the network 106. The network game 104 on the server 108 may be the entire game, a portion of the game, data related to the game or simply a node allowing for the pass though, observation and/or collection of data related to the game 104 as the game 104 is played by users in the game community. The network game 104 may be similarly organized at various clients 102 (e.g., portions of the game or game data related to the game). Network game 104 may also be provided through a third-party content library server. The library server may or may not be a participating member of the presently disclosed validation architecture.

It should be understood that the reference to a client 102 and a server 108 is merely for the convenience of understanding various embodiments of the present invention. Embodiments of the present invention may be implemented in the context of a peer-to-peer network, a client-server network, or within a peer-group (e.g., a specified group of peers). A client may, therefore, function as a server and vice versa depending on the timing and the nature of a data exchange. For example, various clients in a peer-to-peer network may each comprise a portion of a network game 104 or data related to that game 104 and may send and receive the same. As such, any reference to a client or a server is meant to be inclusive of operations performed by one or both computing entities unless specified otherwise by a specific limitation in the claims. In some instances, a device with client/server functionality may be referred to by the generic moniker, ‘network node,’ ‘computing node,’ or ‘network device.’ In that regard, client 102 and server 108 may both be considered network or computing nodes or a network device.

The network game 104 may include software processed on or by the client 102 and/or that allows for or facilitates communication and data exchanges with the other clients 102 and server 108 via the network 106. The network 106 may include, for example, the Internet. Other proprietary or closed networks may be used either exclusively or in conjunction with the Internet. Certain security protocols or encryption methodologies may be used to ensure the security of data exchanges over network 106, especially if the network 106 is a publicly accessible network such as the Internet. Users associated with each of the clients 102 may interact with other users playing the network game 104 despite not being physically present with one another or sharing a common gaming device or console.

In one exemplary embodiment, the server 108 may monitor the users playing the network game 104 via the network 106. The clients 102 may request data from the server 108, such as information pertinent to the particular network game 104 being played, bug patches, and so forth. Any type of communication exchange between the clients 102 and the server 108 is within the scope of the various embodiments of the present invention. Further, in some embodiments of the present invention, more than one server 108 may be connected to the network 106 for the purpose of communicating with the clients 102. For example, back-up or redundancy servers as well as servers with particular tasks such as storing identification information or preferences related to a particular user as well as servers tasked with certain DRM, advertising, or payment responsibilities.

In other embodiments of the present invention, the clients 102 may monitor the network games 104 being played by the other clients 102 (e.g., as individual nodes in a peer-to-peer network or peer-group network). The clients 102 may communicate data generated during the monitoring process to the server 108 or the clients 102 may store and process the data themselves. For example, in a peer-to-peer network scenario, each of the nodes in the network may monitor other nodes in the network for certain illicit behaviors such as lag switch cheating.

FIG. 2 is a block diagram of an exemplary electronic entertainment system 250 including a control processor, multiple processing units, and a multitude of local memories and that may be used in implemented embodiments of the presently claimed invention. The electronic entertainment system 250 illustrated in FIG. 2 is, specifically, one based on a Cell processor 252, which is a joint development of Sony Computer Entertainment Inc., Kabushiki Kaisha Toshiba, and International Business Machines Corporation. Certain aspects of the Cell processor are disclosed in U.S. patent publication number 2002-0138637 for a “Computer Architecture and Software Cells for Broadband Networks,” the disclosure of which is incorporated herein by reference. The system 250 may constitute a component of client 102 (or any other computing node in the network 106) and for playing the network game 104. The elements identified in FIG. 2 are exemplary and may include various alternatives, equivalents, or derivations thereof.

Through the use of the aforementioned Cell processor, data and applications may be processed and packaged into uniquely identified and uniformly formatted software cells. The uniformity of structure and unique identification facilitates the processing of applications and data throughout a network of Cell processor equipped computing devices. For example, one computing device may formulate a software cell but can distribute that cell to another device for processing. Thus, the cells may migrate throughout a network for processing on the basis of the availability of processing resources on the network.

The cell processor 252, as illustrated in FIG. 2, includes a main memory 254, a single power processor element (PPE) 256 and eight synergistic processor elements (SPE) 258. The cell processor 252 may be configured, however, with more than one PPE and any number of SPEs 258. Each SPE 258 comprises a synergistic processor unit (SPU) and a local store (LS).

Memory 254, PPE 256, and SPEs 258 may communicate with each other and with an I/O device 260 over, for example, a ring-type-element interconnect bus (EIB) 264 coupled to a bus interface controller (BIC). The PPE 256 and SPEs 258 may access the EIB 264 through bus interface units (BIU). The PPE 256 and SPEs 258 may access the main memory 254 over the EIB 264 through memory flow controllers (MFC) and memory interface controller (MIC).

Memory 254 may comprise a program 262 that implements executable instructions. The instructions may be read from a CD/ROM or other optical disc in CD/DVD reader 266 coupled to the I/O device 260, the CD/ROM or other optical disc being loaded into the reader 266. The CD/ROM, too, may comprise a program, executable instructions, or other data 274.

PPE 256 may be a standard processor capable of stand-alone processing of data and applications. PPE 256 may schedule and orchestrate the processing of data and applications by SPEs 258 and the associated SPU. The SPU may be a single instruction, multiple data (SIMD) processor. Under the control of PPE 256, the SPUs may process data and application in a parallel and independent manner. MIC may control accesses by PPE 256 SPUs to data and applications in main memory 254.

A user of the system 250 may provide instructions via a controller interface (not shown), which may be coupled to a control device comprising, for example, a joystick, directional buttons, and/or other control buttons. For example, the user may instruct the system 250 to store certain game information on a memory card, which may be removable (e.g., a flash memory or other non-volatile memory card), or may instruct a character in a game to perform some specified action. Other devices may be connected to the system 250 via a USB or IEEE 1394 interface, such as an external hardware device allowing for illicit gaming behavior (i.e., cheating).

Some embodiments of the system 250 may comprise a network adaptor configured to provide the hardware functionality necessary for the system 250 to connect to a network. The network adaptor may include an Ethernet connection 242. Through an Ethernet connection, a network cable (e.g., a 100 Base-TX or 10-Base T) may be coupled to the network adaptor for connection to a network. The network cable may, for example, be communicatively coupled to a DSL or cable modem. The network cable may also be communicatively coupled to, for example, a router via a LAN port; the router may then be coupled to a DSL or cable modem through a WAN port.

In addition, or alternatively, the Ethernet connection may allow for a network cable to be connected to a wireless Ethernet bridge. The wireless Ethernet bridge may be communicatively coupled to a wireless router utilizing, for example, an 802.11x protocol. The wireless router may be further communicatively coupled to a cable or DSL modem. In some instances, a wireless processor or other wireless network access device may be embedded within system 250.

FIG. 3 is a lag detection module 300 that may implement the lag detection methodology of FIG. 4. The elements identified in FIG. 3 are exemplary and may include various alternatives, equivalents, or derivations thereof.

Rules library 304 encompasses rules and data concerning various identifiable aspects of the gaming environment or the hardware and/or software related to generating that environment, including information related to network latency. Rules may be independently generated by a game developer or provided through a system or network administrator. Rules may likewise be generated through monitoring of network conditions by monitoring module 306 thereby developing a rule based on its observations of a particular network game 104.

A rules library 304 may be provided for storing the pre-defined or generated rules. Rules may be embodied in any variety of file and/or data types and the present invention does not seek to impose or otherwise limit the implementation of the same. Various other data may be stored in the rules library 304 according to some embodiments of the present invention. For example, statistics about one or more users of the network game 104 may be stored in the rules library 304, or any other storage medium or locale, according to some embodiments of the present invention. Alternative storage of statistics or other information may occur remotely from a network node but is otherwise accessible via the network 106.

A monitoring module 306 may be configured to monitor user activity with respect to the network game 104 at the client 102 via data exchanges with the server 108 via the network 106. Any type of monitoring may be implemented by the monitoring module 306 (e.g., periodic review of data exchanges, constant review of data exchanges, review of data exchanges from particular nodes, etc.). According to one embodiment of the present invention, the monitoring module 306 may utilize rules in the rules library 304 and analysis provided by the analysis engine 308 to passively listen for or detect user activity that deviates from typical user activity associated with the network game 104 or that might suggest the presence of such activity, including lag switch cheating.

In some embodiments, the monitoring module 306 may be located in particular client nodes within the network. For example, a particular network game 104 (e.g., one distributed on a CD-ROM) may include certain aspects of a validation system and related software embedded with the game software. As such, any client 102 in the network 106 may possess validation functionality in addition to a server 108.

A client 102 with validation software (e.g., monitoring module 306) may operate by itself or may operate in conjunction with the server 108 to ensure valid game play in the network. Client 102, in one embodiment, may possess the monitoring module 306 and rules library 308 in addition to other possible aspects of the validation architecture illustrated in FIG. 3 through a particular network game 104 title. As such, the client 102 may observe another client 102 in the network. If the monitoring module 306 observes illicit behavior through a data exchange with another client 102 in the network 106 (as might be identified through particular rules in the rules library 304 and/or determinations by the analysis engine 308), the client 102 observing such illicit behavior may take certain action in response to the illicit behavior.

Alternatively, the valid client may report the invalid client to the server 108 and the server 108 may engage in more detailed analysis of the purportedly illicit behavior through. The server 108 may also engage in certain behavior designed to maintain the integrity of the gaming network such as dismissing the invalid client, overwriting invalid code through a pushed update, maintain a record of the invalid client and its related user and so forth. These various integrity maintenance actions may also be executed by client 102 (e.g., dismissals) or by client 102 in response to an instruction or request by the server 108.

By sharing and/or distributing validation responsibilities, bandwidth consumption and processing power of the server 108 may be alleviated and possibly avoids the involvement of an additional computing device in the validation relationship. That is, one client 102 may validate another and vice-versa through the course of regular data exchanges instead of using the server 108 as a validating intermediary.

Validation may also occur amongst a plurality of clients 102 in the network 106. For example, a first client 102 may engage in monitoring for a particular period of time with those responsibilities then taken over by a second client 102 at a later time. By randomly reassigning monitoring responsibilities (e.g., via server 108), more adept cheaters that may be able to avoid detection by a single monitoring entity must now deal with a constantly random and reassigned monitoring entity or entities.

Certain embodiments may also make use of group validation wherein a particular client 102 must be validated by two or more other clients 102 in order for that client 102 to be deemed valid or invalid. Group validation may occur in conjunction with the server 108 whereby the server may take into account the validation information from the group of clients 102 and make an ultimate determination as to whether game play is allowed to continue for that particular client 102. One of the one or more clients 102 participating in the group validation may alternatively be assigned lead validation responsibility and take appropriate action in response to generated validation information. Leadership responsibilities may also be distributed amongst the members of the group wherein the group acts collectively or certain client 102 members of the group carry out designated responsibilities.

Reassignment of monitoring responsibilities may also make use of client 102 with idle processing and bandwidth. For example, a client 102 might be connected to the network 106 but is not actively playing a game 106 or is currently in a ‘waiting room’ or ‘game lobby’ awaiting entry into a particular game 106. The available processing power of that otherwise idle client 102 may then be put to use through validation assignments or actual validation activity.

In alternative embodiments, a client 102 may download certain information from the server 108 such as rules or updates for the rules library 304 that may be only partially embedded with the game software of a network game 104. These updates or downloaded libraries may be temporarily stored in, for example, main memory 210 or a memory card 218. Rules updates or other related downloads may occur as a part of a regular schedule as determined by the server 108, as a part of a query by a client 102 to the server 108 for any variety of information, or during an initial log-on process wherein user names and passwords might be verified and that otherwise indicate the allowed permission of a particular user or client 102 in the network 106. The monitoring module 306 may observe activity in the network game 104 violating rules related to network latency and indicative of lag switch cheating.

The monitoring module 306 may forward any flags or unusual activity to the analysis engine 308. The analysis engine 308 may analyze the flagged activity to determine whether the activity is, in fact, illegal with respect to the game environment constraints of the network game 104. In other words, the analysis engine 308 determines whether the user activity, in fact, violates the rules associated with the network game 104.

The monitoring module 306 may receive data from the network game users as the network game users interact with the network game 104. For example, the client 102 may periodically post data to the server 108 or to the other clients 102 related to the network game 104 and/or the network game user's interaction with the network game 104. The monitoring module 306 reviews (e.g., ‘listens to’) the data as it is posted in order to determine whether the network game user associated with the client 102 that posts the data is cheating and/or failing to adhere to the one or more rules associated with the network game 104, as defined by the rules library 304. In an exemplary embodiment, the monitoring module 306 may forward the posted data to an analysis engine 308 and the analysis engine 308 analyzes and/or evaluates the posted data in light of rules from rules library 304 to determine whether the network game user 104 associated with the client 102 that posts the data is cheating and/or failing to adhere to the one or more rules associated with the network game 104.

If the analysis engine 308 determines that the user is cheating, the offending node may be ejected, allowed to continue playing, and so forth. In some embodiments, the server 108 or sending node may resolve the violation (i.e., cheating activity) whereby various types of resolution may be employed. In some embodiments of the present invention, the node tasked with resolving the behavior (e.g., server 108) may disable a cheating device or offending code presently running on the system 250 by sending a patch to remove, modify, or add to the offending software (e.g., a computing device tasked with maintaining community integrity delivers a command to the offending node whereby the offending node is instructed to modify its own memory at a specified location and to a specified value).

In some embodiments, the analysis engine 308 may generate a list of users or client devices 102 that violate the rules associated with the network game 104. In other words, the analysis engine 308 may generate a cheater ‘rap sheet.’ The cheating users may then be monitored more often by the monitoring module 306 according to some embodiments or employed as a variable for generating future rules.

In some embodiments, the client 102 may include certain or all of the components discussed in FIG. 3 with regard to server 108 whereby device becomes more of a generic network node that may encompass server functionality, client functionality, both or neither (e.g., a router, buffer or intermediate point on a network). Accordingly, the client 102 can detect cheating activity occurring on other clients 102, as discussed herein.

Nodes may also act in peer-groups whereby, for example, ten particular nodes constitute a group. Groups may be defined by the particular needs or nature of a particular network environment. For example, a group may constitute all players of a network game 104. A group may constitute all players of a network game 104 and participating via a particular ISP. A group may also constitute players in a certain ‘game room,’ that is, players that have been invited to participate with one another or otherwise entered a particular gaming environment of particular users. A group may be defined by any parameter that allows for delineation of one user from another (e.g., age, experience, game device being used, time logged on, type of network connection, bandwidth availability, etc.).

Other embodiments may provide for group participation in analysis of certain behavior. For example, multiple nodes (via monitoring module 306) may observe behaviors from a particular node. The behaviors observed may be identical or each involving different game behavior information. In some embodiments, an approval (e.g., validation) of same or varying behaviors as observed by various nodes may be required by all or a certain percentage of the observing nodes to further ensure the validity of the observed node in the community network.

Furthermore, although various components are discussed in connection with FIG. 3, the server 108 and/or the client 102 may include more or fewer components and still fall within the scope of various embodiments of the present invention. For example, responses to illicit behaviors may be carried out by a separate integrity module (not shown) in conjunction with or independent of, for example, analysis engine 308 as referenced above.

FIG. 4 is a flow diagram of an exemplary process 400 for detecting lag switch cheating. Although FIG. 1 depicts a client-server environment, the methodology of FIG. 4 may be implemented in a peer-to-peer environment. It should also be noted that computing nodes implemented in the context of the methodology of FIG. 4 may include hardware and/or software and/or firmware including various executable modules and engines.

The steps identified in FIG. 4 (and the order thereof) are exemplary and may include various alternatives, equivalents, or derivations thereof including but not limited to the order of execution of the same. The steps of the process of FIG. 4 (and its various alternatives) may be embodied in hardware, firmware, software, or a combination thereof, including a non-transitory computer-readable storage medium (e.g., optical disc or memory card). Said storage medium may comprise a program or instructions executable by the processor of a computing device.

At step 402, data packets are received from a client 102 by a computing device, such as the server 108. In a peer-to-peer embodiment, the data packets may be received by one or more of the clients 102 and/or the server 108. A plurality of the data packets have tracking data contained therein. The tracking data may include at least one of a sequence number and a time stamp. In some embodiments, the sequence numbers and/or time stamps may be encrypted. This may, for example, prevent cheaters from manipulating the tracking data.

At step 404, a monitoring module, which is stored in memory, is executable by a processing device to monitor the tracking data. The monitoring module may monitor one or more devices, such as clients 102, interacting with a network game 104. The monitoring module may keep track of the sequence numbers and time stamps (i.e., the tracking data) of the data packets.

At step 406, an analysis engine operates to determines, from the monitoring of the tracking data, whether a cheat-detection event has occurred. The analysis engine identifies one or more indicia of violation of one or more rules that define fair game play, including aberrant lag time, which may be flag a user associated with a cheat-detection event.

The analysis engine may analyze sequence numbers of data packets to detect data packet loss. Packet loss occurs when at least one data packet traversing a network fails to reach its intended destination. The analysis engine may analyze time stamps of data packets to detect changes in latency. ‘One-way latency’ is the time from the source sending a packet to the destination receiving the packet. ‘Round-trip latency’ is the time from source to destination plus the one-way latency from the destination back to the source. The instant system may detect packet loss, changes in latency, or both.

As mentioned, the analysis engine may analyze sequence numbers of data packets to determine packet loss (i.e., if data packets are missing). For example, a data packet received at the server 108 from a given client 102 may have a sequence number of S (where S represents an integer) associated therewith. The next highest sequence number received at the server 108 may be S+200. If the intermediate data packets are not received at the server 108 then this may be evidence that a cheater is intentionally causing packet loss.

The analysis engine may analyze time stamps of data packets to determine if additional latency has occurred on the network, as mentioned. The analysis engine may determine this by observing if and when there are changes in the deltas between the time stamps of packets leaving different clients 102. Changes in latency might indicate that a cheater is intentionally slowing, delaying, or stopping network traffic. In some embodiments, for example in a peer-to-peer configuration, monitoring and analyses may be performed within the clients 102. In some embodiments, for example in a client-server configuration, monitoring and analyses may be performed at the server 108.

A cheater may cheat in this manner by use of, for example, a lag switch. The cheater may stop or delay his send traffic, both his send and receive traffic, and so forth. In a peer-to-peer configuration, other users may flag suspicious activity that could be indicative of cheating. Network states may be recorded in a buffer. When a predetermined number (one or more) of players flag a suspected cheater, then the information may be sent to a moderator who may examine the evidence and possibly take action (such as penalizing the suspected cheater). In another embodiment, these actions may be performed automatically. In a client-server configuration, the server 108 may aggregate data from various clients 102 in order to perform analysis of the data.

The analysis engine analyzes the tracking data of one or more data packets with respect to various thresholds. When a threshold has been met, it then may be determined that a cheat-detection event has occurred. Exemplary thresholds may include 60 packets lost, three seconds of no network traffic, 10 seconds of added latency, and so forth. However, these numbers are only examples and any suitable threshold(s) are contemplated in various embodiments according to the present technology. Sometimes these thresholds may be dependent on the specific game.

If a determination has been made that a cheat-detection event has occurred, then the process proceeds to step 408. If no determination has been made that a cheat-detection event has occurred at step 408, then the process proceeds to step 410.

At step 410, the clients 102 associated with other players in the network game 104, and/or the server 108, may send a cheat message to the user suspected of cheating. A cheat message may be sent to the network game 104 of the client 102 associated with the suspected cheater signifying that he is suspected of cheating.

After the network game 104 of the suspected cheater has received a cheat message, the cheater's network game 104 may initiate a callback in the network game 104 so that the network game 104 may decide how to proceed. The suspected cheater may be penalized in some fashion. For example, a “Network Interrupted” icon or the like may be placed on the suspected cheater's screen. The suspected cheater's game character may be moved back to its pre-lag location or last good location where no cheating was detected. The system may stop accepting input from the suspected cheater for N number of seconds, where N may be any real number. When a given number of callbacks, X, have been initiated then the network game 104 may disconnect the suspected cheater from the network game 104. X may be any integer greater than or equal to one. Different games may have different types of penalties and thresholds for detecting cheating. Any suitable penalty is within the scope of various embodiments according to the present technology. After step 408, the process proceeds to step 410.

At step 410, a determination is made as to whether the network game 104 is over. If the network game 104 has ended then the process ends. However, if the network game 104 has not ended then the process returns to step 404.

It is noteworthy that many games are continually sending network traffic (even for a character that is presently motionless in the game). However, other games do not continually send network traffic in such a scenario. One might erroneously misinterpret this latter scenario to be indicative of packet loss. Other games send network traffic at set intervals. The present technology, by use of time stamps and sequence numbers, advantageously works with all types of games.

As discussed herein, embodiments the methods for detecting lag switch cheating may be applied to a peer-to-peer environment or a client-server environment. Various modules and engines may be located in different places in various embodiments. For example, the monitoring module and/or the analysis engine may be located at one or more clients 102 in some exemplary embodiments.

In various embodiments according to the present invention, determination of whether a game player is engaged in lag switch cheating may occur through a particular client device (e.g., a gaming system) regularly reporting game data to, for example, a central game server (like server 108 of FIG. 1) or another game player's network device (like client 102 of FIG. 1). Analysis of that game data may take place as the game data is processed by the appropriate network device. For example, game data generated by one player may be analyzed by an opposing player's client with regard to abiding by particular game metrics as the first game player's game data is processed for display on the opposing player's gaming device. Similar analysis may take place at a central server prior to the game data being sent by the central server to another game player or players.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. For example, any of the elements associated with the client 102, the network game 104, and/or the server 108 may employ any of the desired functionality set forth hereinabove. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments.

The present invention may be further implemented in a common network game 104 that is operable over a mixed network of end user devices (e.g., clients 102). For example, one client device 102 may be a personal computer; a second client device 102 may be a home entertainment system such as a PlayStation®2 or PlayStation®3 available from Sony Computer Entertainment Inc. Another client device 102 may be a portable gaming device such as a PSP™ (also from Sony Computer Entertainment Inc.) whereas a fourth client 102 may be a home entertainment system of a different manufacture such as an Xbox as manufactured by Microsoft Corporation or Wii as manufactured by Nintendo Co., Ltd. The present anti-cheat methodologies described herein are fully intended to be operable amongst a related or non-related group of devices. It is noted that embodiments according to the present invention are not limited to anti-cheat methodologies. 

What is claimed is:
 1. A method for detecting cheating in a gaming network, the method comprising: generating a first set of rules, wherein the first set of rules define acceptable user activity in a gaming network, and wherein the generated rules are defined based on observations of a performance of the gaming network; receiving data packets from a client in the gaming network, wherein the data packets are received at a network interface communicatively coupled to the gaming network and have tracking data that includes at least one of a sequence number or a time stamp indicating the progression of a game character through a game environment in the gaming network, and wherein the received data packets correspond to user activity for the client in the gaming network; monitoring the user activity for clients that may violate the generated first set of rules, wherein the user activity is monitored in response to execution of a monitoring module by a processor, and wherein the monitoring module is stored in memory; and determining that a client violated the generated first set of rules thereby identifying the client as a deviant client, wherein the determination that the client violated the generated first set of rules includes: identifying one or more pre-defined thresholds corresponding to indicia for changes in deltas between tracking data of data packets associated with the client and tracking data of data packets associated with different clients; determining that there are changes in deltas between tracking data of data packets associated with the client and tracking data of data packets associated with different clients; detecting that the determined delta changes between the different clients in view of the delta changes with the client exceeds one or more of the pre-defined thresholds used to identify cheating; and identifying that the detected delta changes between the different clients and the gaming network indicate cheating based on the one or more identified pre-defined thresholds, wherein the evaluation and the pre-defined thresholds are based on parameters associated with the performance of the gaming network identified as acceptable user activity.
 2. The method of claim 1, further comprising identifying at least one user associated with the client sending the monitored data packets that include indicia exceeding the predefined threshold.
 3. The method of claim 2, further comprising sending information over the gaming network indicating that the client sending the monitored data packets is suspected of cheating, the information sent by way of a network interface communicatively coupled to the gaming network.
 4. The method of claim 1, further comprising penalizing the at least one user associated with the client sending the monitored data packets that include indicia exceeding the predefined threshold.
 5. The method of claim 1, wherein the sequence number is encrypted.
 6. The method of claim 1, wherein the change in deltas of the sequence number of the client is indicative of the existence of packet loss.
 7. The method of claim 1, wherein the time stamp is encrypted.
 8. The method of claim 1, wherein the change in deltas of the time stamps of the client is indicative of the existence of a change in latency.
 9. The method of claim 1, wherein the monitoring is performed at a host server in the gaming network.
 10. The method of claim 1, wherein the monitoring is performed at a peer client in the gaming network.
 11. A system for detecting cheating in a gaming network, the system comprising: a rules library that includes a generated first set of rules defining acceptable user activity in a gaming network, wherein the generated first set of rules are defined based on observations of a performance of the gaming network; a network interface that receives data packets from a client in the gaming network, wherein the data packets have tracking data that includes at least one of a sequence number or a time stamp indicating the progression of a game character through a game environment in the gaming network, and wherein the received data packets correspond to user activity for the client in the gaming network; a monitoring module stored in memory and executable by a processor to monitor the user activity for clients that may violate the generated first set of rules; and an analysis engine stored in memory and executable by a processor to determine that a client violated the generated first set of rules thereby identifying the client as a deviant client, wherein the determination that the client violated the generated first set of rules includes: identifying one or more pre-defined thresholds corresponding to indicia for changes in deltas between tracking data of data packets associated with the client and tracking data of data packets associated with different clients; determining that there are changes in deltas between tracking data of data packets associated with the client and tracking data of data packets associated with different clients, detecting that the determined delta changes between the different clients in view of the delta changes with the client exceeds one or more of the pre-defined thresholds used to identify cheating, and identifying that the detected delta changes between the different clients and the gaming network indicate cheating based on the one or more identified pre-defined thresholds, wherein the evaluation and the pre-defined thresholds are based on parameters associated with the performance of the gaming network identified as acceptable user activity.
 12. The system of claim 11, wherein execution of the analysis engine by the processor further identifies at least one user suspected of cheating.
 13. The system of claim 12, wherein the network interface also sends information over the gaming network indicating that the at least one user is suspected of cheating.
 14. The system of claim 11, further comprising penalizing the at least one user associated with the client sending the monitored data packets that include indicia exceeding the predefined threshold.
 15. The system of claim 11, wherein the sequence number is encrypted.
 16. The system of claim 11, wherein the change in deltas of the sequence number of the client is indicative of packet loss.
 17. The system of claim 11, wherein the time stamp is encrypted.
 18. The system of claim 11, wherein the change in deltas of the time stamps of the client is indicative of the existence of a change in latency.
 19. The system of claim 11, wherein the monitoring module is located at a host server in the gaming network.
 20. The system of claim 11, wherein the monitoring module is located at a peer client in the gaming network.
 21. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for detecting cheating in a gaming network, the method comprising: generating a first set of rules, wherein the first set of rules define acceptable user activity in a gaming network, and wherein the generated rules are defined based on observations of a performance of the gaming network; receiving data packets from a client in the gaming network, wherein the data packets have having tracking data that includes at least one of a sequence number or a time stamp indicating the progression of a game character through a game environment in the gaming network, and wherein the received data packets correspond to user activity for the client in the gaming network; monitoring the user activity for clients that may violate the generated first set of rules, wherein the user activity is monitored in response to execution of a monitoring module by a processor, and wherein the monitoring module is stored in memory; and determining that a client violated the generated first set of rules thereby identifying the client as a deviant client, wherein the determination that the client violated the generated first set of rules includes: identifying one or more pre-defined thresholds corresponding to indicia for changes in deltas between tracking data of data packets associated with the client and tracking data of data packets associated with different clients; determining that there are changes in deltas between tracking data of data packets associated with the client and tracking data of data packets associated with different clients; detecting that the determined delta changes between the different clients in view of the delta changes with the client exceeds one or more of the pre-defined thresholds used to identify cheating; and identifying that the detected delta changes between the different clients and the gaming network indicate cheating based on the one or more identified pre-defined thresholds, wherein the evaluation and the pre-defined thresholds are based on parameters associated with the performance of the gaming network identified as acceptable user activity. 